
Configuring the Authorization Concept in ERP E-Commerce

In document Config Guide ECO ERP 50 (Page 43-50)

2.6 Configuring User Management in ERP E-Commerce

2.6.3 Configuring the Authorization Concept in ERP E-Commerce

Use

You can assign authorization roles to users in ERP E-Commerce to determine the activities and transactions they can carry out. For example, you can determine whether a B2B Web shop user can create orders or only display them, or whether an internal employee can manage the Auctioning via Web Shop application. Once authorization roles are assigned, the system checks the users' permissions in the background and restricts the tasks they can carry out accordingly.

Users can only access menus and transactions relevant to them, and their Web-based application authorizations match their backend user authorizations.

SAP delivers a standard set of authorization roles for use in ERP E-Commerce. This means all authorization values are specified and you only need to generate the user profiles. However, several authorization objects have been assigned full authorization values since they are based on customizing and master data. This means that certain functions are enabled which you may not be using in your Web shop, and the permission levels they give to users may not meet your requirements. SAP therefore recommends that you copy the standard roles, rename them, and modify them before use. This will improve security.

The authorization roles provided are for the user type SU01 only. The SU05 user concept does not support the assignment of authorizations to SU05 users or Single-Sign-On (SSO) functionality. Therefore, SAP recommends you use SU01 users to improve security. You can migrate existing SU05 users to SU01 users in the backendobject-config.xml file. For more information, see SU05 to SU01 User Migration in ERP E-Commerce.

If you do have to use SU05 users, you have to assign authorizations to the service user. SU05 users are based on the anonymous service user concept, whereby the service user has full application functionality.

Therefore, if you have user roles and service user roles that exist for one application only, you can assign these roles to the service user and the SU05 users can be supported by the authorization concept.

Procedure

Copy roles

You copy the standard delivered roles in your SAP ERP system as follows:

1. In the SAP Easy Access Menu choose Tools → Administration → User Maintenance → Role Administration → Roles (Transaction PFCG).

2. Enter the standard role in the Role field and select Copy Role.

3. Specify a new name for your local role and select Copy selectively.

4. Deselect all the checkboxes in the Choose Objects dialog box and select Continue.

5. The copied role is now created and you can generate the authorization profile.

6. Select Change. The system displays the role details.

7. On the Authorizations tab page select Change Authorization Data. The system displays the authorization objects contained in the authorization role.

8. Select the Generate icon and change the profile name if required. The system creates a profile.

Modify roles

Once you have created a profile you can change the authorization objects and values in the role to meet your requirements.

1. In the SAP Easy Access Menu choose Tools → Administration → User Maintenance → Role Administration → Roles (Transaction PFCG).

2. Enter the name of your authorization role in the Role field and select Change. The system displays the role details.

3. On the Authorizations tab page select Change Authorization Data. The system displays the authorization objects contained in the authorization role.

4. Select the authorization object you wish to change and expand the view to display all the authorization values.

5. Select Change (pencil icon next to the value). The system displays a dialog box with all values for the authorization object for your selection.

6. Select the appropriate value(s) and Save your selection.

7. Regenerate the user profile as described above.
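A check that can follow the modification steps above, added here as an example and not part of the SAP guide: it reads an export of a role's authorization values and reports fields still set to full authorization (*) and activity values wider than intended, including ranges. It assumes a CSV export with the columns AGR_NAME, OBJECT, FIELD, LOW and HIGH (the layout of table AGR_1251); the role name ZISA_B2B_DISPLAY is hypothetical and the sample rows are constructed.

```python
import csv
import io

# Standard ACTVT (activity) values checked by this example.
ACTIVITIES = {"01": "create", "02": "change", "03": "display", "06": "delete"}

# Constructed sample rows (assumed export layout of table AGR_1251).
# ZISA_B2B_DISPLAY is a hypothetical local copy meant to be display-only.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
SAP_ISA_B2B_FULL,V_VBAK_AAT,ACTVT,*,
SAP_ISA_B2B_FULL,V_VBAK_AAT,AUART,*,
ZISA_B2B_DISPLAY,V_VBAK_AAT,ACTVT,03,
ZISA_B2B_DISPLAY,V_VBAK_AAT,AUART,OR,
ZISA_B2B_DISPLAY,V_VBAK_VKO,ACTVT,01,03
ZISA_B2B_DISPLAY,V_VBAK_VKO,VKORG,1000,
"""


def covers(low, high, value):
    """True if a single value, a LOW..HIGH range or a pattern includes value."""
    if low.endswith("*"):
        return value.startswith(low[:-1])
    if high:
        return low <= value <= high
    return low == value


def audit_role(export_text, role, allowed_activities):
    """Return (object, field, reason) findings for one role in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["AGR_NAME"] != role:
            continue
        low, high = row["LOW"].strip(), (row["HIGH"] or "").strip()
        if low == "*":
            findings.append((row["OBJECT"], row["FIELD"], "full authorization (*)"))
        elif row["FIELD"] == "ACTVT":
            # A range such as 01..03 grants create and change without any "*".
            extra = [name for code, name in ACTIVITIES.items()
                     if code not in allowed_activities and covers(low, high, code)]
            if extra:
                findings.append((row["OBJECT"], "ACTVT", "allows " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for role in ("SAP_ISA_B2B_FULL", "ZISA_B2B_DISPLAY"):
        for finding in audit_role(SAMPLE_EXPORT, role, {"03"}):
            print(role, *finding)
```
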

Standard delivered roles

For a list of the standard roles delivered by SAP for the ERP E-Commerce, see Authorization Roles in ERP E-Commerce.

Assign authorization roles to users

You can assign the authorization roles to users during backend user creation in ERP and in the Web-based User Management application.

Create a user

Create a new user in the Web-based User Management application. Assign the business partner and company to the user.

The same user components are created for the user in the Web-based User Management application as would be created if the user were being created in the ERP backend system. That is, an SU01 user of user type Dialog, a business partner (Contact person), and a company (customer). In the backend system the Web shop Manager would proceed as follows:

Create a business partner in the account group of Sold-to party.

• In the SAP Easy Access Menu choose Logistics → Sales and Distribution → Master Data → Business Partner → Customer → Create → Sales and Distribution (transaction VD01).

For more information, see Creating and Changing Business Partner Master Data.

• On the Contact persons tab page enter the details for a contact person for this customer and fill in all necessary fields. The system automatically assigns an ID to the new contact person.

• Create a user in the ERP system (transaction SU01).

In the SAP Easy Access Menu choose Tools → Administration → User Maintenance → Users (transaction SU01).

• Select References and fill in the object type and key.

o The object type must be BUS1006001 Business partner employee.

o The Key is the contact person's ID created automatically by the system in the first step above.

o KNA1 is the type and the customer number is the key.

For more information, see User Maintenance Functions.

Backend user creation role assignment

In the SAP Easy Access Menu choose Tools → System Administration → User Maintenance → Users (transaction SU01). Select the user you created in the step above. On the Roles tab page enter the role you wish to assign to the user. Any roles you have created in role maintenance are available for your use.

Web-based User Management application role assignment

When creating a user in the Web-based user management application the system displays a list of modified authorization roles for your selection. You select the role you want and assign it to the user.

You make the roles available in the Web-based User Management application by entering them in the Customizing area of the application. They are then available for selection during user creation.

You can assign the authorization roles to users directly or by assigning them to reference users, and then assigning the reference user to the user.

Role assignment for self-registered users

In the ERP E-Commerce B2C Web shop users self-register. Therefore you cannot assign authorizations directly to these users. Instead, you have to use a reference user. You create a user of the type Reference in your ERP backend system (transaction SU01) and assign the authorization role you wish your self-registered users to have to the reference user. When a customer registers in the Web shop the system looks for the reference user assigned to the Web shop and assigns it to the customer's user record. The user inherits all authorizations assigned to the reference user and can carry out all necessary activities in the Web shop.

You assign the reference user to a Web shop using the Shop Management application. On the General Information tab page in Shop Management the system administrator enters the reference user ID in the Reference User field. When a user logs on to this Web shop the system will read the reference user ID entered for the shop and assign this reference user to the new user in the backend system.

For more information on user creation and authorization assignment, see the ERP E-Commerce user management documentation in the SAP Library.

Authorization Roles in ERP E-Commerce

Use

You assign authorization roles to your users in ERP E-Commerce to determine which applications they can enter and the tasks they can carry out in these applications. There are two types of authorization roles provided by SAP:

• For service users

There is a service user role for each Web-based application to provide an RFC connection between the Web-based application and the backend ERP system.

• For Internet users

There are various user roles provided by SAP for the different Web-based applications. You assign these to your customers and employees so that they can carry out various tasks and activities in the Web-based applications. There are different roles for each of the Web-based applications, determining the permissions the user has once logged on. For example, the roles determine whether the user can only display orders or also change orders.

SAP delivers standard authorization roles which you can change and modify to meet your needs. These roles contain authorization objects which determine which permissions a user has in an application. You can modify the authorization objects within the roles to change the permissions. For example, in the role for the B2B Web shop user you can determine if the user can only display a sales order or whether the user can also create and change a sales order. For a full list of the document authorizations for the Business-to-Business (B2B) scenario, see Document Authorizations in ERP E-Commerce.

Features

The table below lists the various service user roles that are delivered in the standard SAP shipment for ERP E-Commerce Web-based applications. You should create local copies of these roles and modify them.

| Service User Role | Consists of Following Roles | Description |
|---|---|---|
| SAP_ISA_B2C_RFC | SAP_ISA_SUB_USER_MANAGER, SAP_ISA_SUB_RFC, SAP_ISA_SUB_CUSTOMER_CREATE | Service user authorization role for RFC connections for B2C Web shop. |
| SAP_ISA_B2B_RFC | SAP_ISA_SUB_RFC, SAP_ISA_SUB_CUSTOMER_READ | Service user authorization role for RFC connections for B2B Web shop. |
| SAP_ISA_SHOPMGMT_RFC | SAP_ISA_SUB_RFC | Service user authorization role for RFC connections to Shop Management application. |
| SAP_ISA_UADM_RFC | SAP_ISA_SUB_RFC | Service user authorization role for RFC connections to Web-based User Management application. |

The table below lists the various Web-based applications along with the user and service user roles that are delivered in the standard SAP shipment. You should create local copies of these roles and modify them:

Application User Authorization Role

Consists of following roles Description Service User B2C SAP_ISA_B2C_FUL B2C Web shop users.

Assigned to the reference user and inherited by B2C Web shop users during self-registration in the Web shop.

_READ

User can carry out all transactions and activities in the B2B Web shop. the Web shop internal users scenario. can create and maintain Web shops. for companies to which he is assigned and

SAP_ISA_UADM_RFC

RUSER

SAP_ISA_SUB_CUSTOMER_CREATE

create Web shop users.

SAP_ISA_UADM_M and Web shop users for all companies.

Example

You want to create a user for your B2B Web shop. You create a service user for the B2B Web shop application and a service user for the Web-based User Management application in your backend ERP system (transaction SU01). You assign the service users to the applications in Extended Configuration Management (XCM). You take the standard SAP role for a B2B Web shop user SAP_ISA_B2B_FULL in the ERP system (transaction PFCG), copy it, and modify the authorization objects to meet your needs.

For example, you remove the authorization object for creating orders. You assign the authorization role to Web-based User Management in the Customizing area of the application. You log on to Web-based User Management, create a user and assign the modified B2B Web shop role to the user. The user can now log on to the B2B Web shop and carry out the tasks enabled in the authorization role.

Document Authorizations in ERP E-Commerce

Use

Certain Web-based applications support the use of documents; for example, the B2B Web shop supports the use of the transaction type order. The following applications support document permissions:

• Business-to-Business (B2B)

• Business-on-Behalf or B2B for Internal Users (BOB)

For these applications SAP provides different authorization roles to support different document authorizations. You can modify the delivered roles and change the document permissions in the roles.

The table below shows the different authorization objects available for various document types, and the permissions available for them which you can modify. For more information on modifying roles, see Configuring the Authorization Concept in ERP E-Commerce.

Object Permissions Roles


ERP E-Commerce User Management and SAP NetWeaver Portal

Purpose

You can run ERP E-Commerce in the SAP NetWeaver Portal. Several Business Packages contain iViews to integrate ERP E-Commerce. You can find information on how to integrate ERP E-Commerce into the portal in the Business Package documentation in the SAP Library.

An important factor in running ERP E-Commerce in the portal is user management. To enable the applications to run together you need to map the users for both applications and also select a logon procedure. In order to provide a seamless integrated user interface between the portal and the E-Commerce application you need to enable Single-Sign-On (SSO) functionality. This means that when the user logs on to the portal he is only requested to verify his credentials at the start, and not for each application that he then proceeds to use within the portal environment.

The SAP NetWeaver Portal logon procedure is based on the functionality provided by the User Management Engine (UME), which is built into the SAP Web AS Java 6.40 and later versions. The UME generates an SSO ticket when a user logs on to the portal. The SSO ticket is used by the system when a user enters the E-Commerce iView. This means that the users for the portal and the E-Commerce application need to have the same user IDs and the user type for the E-Commerce user is that of SU01 user ID. You set the user type for the E-Commerce user in the Extended Configuration Management (XCM) application for the E-Commerce Web-based User Management tool. For more information on mapping portal and E-Commerce users in UME, see E-Commerce with UME.

The ERP E-Commerce release for ERP 2005 can only be integrated with the SAP NetWeaver Portal.

Type: Transaction

Logical Component: SAP ECC

Object: SU01

Name: User Maintenance

Type: Transaction

Logical Component: SAP ECC

Object: SU05

Name: Maintain Internet Users

Type: Transaction

Logical Component: SAP ECC

Object: PFCG

Name: Role Maintenance
